Decode, generate, verify, inspect, and secure JSON Web Tokens — entirely in your browser.
Generates decode/verify code for a JWT secret + algorithm in 16 frameworks.
A JSON Web Token is three Base64Url-encoded parts joined by dots: a header describing the algorithm, a payload of claims, and a signature that proves the token wasn't tampered with. Anyone can decode the header and payload — they are not encrypted, only encoded — so a JWT should never hold secrets. Only the signature (created with a secret key or private key) protects the token from being forged.
| Claim | Meaning |
|---|---|
iat | Issued-at time, as a Unix timestamp |
exp | Expiration time — the token is invalid after this |
nbf | Not-before time — the token isn't valid until this |
iss | Issuer — who created the token |
aud | Audience — who the token is intended for |
sub | Subject — usually the user ID |
jti | Unique token ID, useful for revocation lists |
The JWT Toolkit is a free, developer-focused workspace built around one of the most common pieces of infrastructure in modern web authentication: the JSON Web Token. Rather than switching between a decoder here, a signature verifier there, and a separate script to check expiration, this toolkit gathers nine dedicated tools into a single page — a decoder, generator, verifier, inspector, expiration calculator, claim editor, algorithm detector, security checker, and a multi-language code generator. Everything runs using your browser's built-in Web Crypto API, so tokens are decoded, signed, and verified locally without ever being sent to a server.
JWTs carry a quiet but important warning: the header and payload are only encoded, not encrypted. Anyone who intercepts a token — or pastes it into an online tool — can read every claim inside it. That makes privacy-respecting tooling especially important here. Pasting a production access token into a random website is a real security risk if that site logs or transmits what you send it. Because this toolkit performs every operation client-side, you can safely debug live tokens, including ones carrying user IDs, roles, or session data, without exposing them to a third party.
The Decoder tab splits a pasted token into its three color-coded segments and renders the header and payload as readable, syntax-highlighted JSON — useful when you just need to see what's inside a token a colleague or an API handed you. The Generator goes the other direction, letting you write your own header and payload, choose HS256, HS384, HS512, or an unsigned "none" algorithm, and produce a working signed token on the spot, complete with a one-click "auto timestamps" helper for setting iat and exp. The Verifier closes the loop: paste a token, supply the matching HMAC secret or an RS256/ES256 public key in PEM format, and the tool recomputes the signature using the Web Crypto API to confirm whether it's genuinely valid — while also flagging a mismatch between the algorithm the token claims and the one you're verifying against, a known attack pattern worth catching early.
Beyond basic decoding, the Inspector runs a structural check across standard claims — confirming the token is well-formed, checking that exp hasn't passed, that iat is a sane past timestamp, and flagging missing fields like iss, aud, sub, or jti. The Expiration Calculator focuses purely on timing, showing exactly when a token was issued, when it becomes valid, and a live, second-by-second countdown to expiration (or a running total of how long ago it expired) — handy when debugging session timeout issues.
The Claim Editor lets you load an existing token, tweak its header or payload directly, and re-sign it with a secret — ideal for testing how your backend handles a modified role, an expired exp, or a missing claim, without having to hand-build a new token from scratch. Quick-add buttons insert common claims like exp, nbf, iss, and jti instantly.
The Algorithm Detector identifies exactly which signing method a token uses and explains whether it's symmetric (HMAC) or asymmetric (RSA/ECDSA), flagging unsigned "none" tokens as insecure outright. The Security Checker goes further, scoring a token out of 100 based on real-world red flags: missing expiration, absent issuer or audience claims, excessively long token lifetimes, or a weak/missing algorithm — the kind of checklist a security review would actually run through, condensed into one click with a downloadable report.
Once you've settled on a secret and algorithm, the Code Generator produces ready-to-use snippets across sixteen frameworks — Node.js, Express, React, Next.js, Python, Django, Flask, Java, Spring Boot, Go, PHP, Laravel, C#, .NET, Ruby, and Rails — so you can implement signing and verification correctly in your own stack without hunting through each library's documentation individually.
Every feature described above — decoding, generating, verifying, editing, and scoring — executes entirely in your browser tab using the Web Crypto API. No token, secret, or key is ever transmitted anywhere, making this a safe tool for debugging real authentication flows, not just sample data.